@metamask/assets-controller 6.3.0

Added

• Seed mUSD (0xaca92e438df0b2401ff60da7e4337b687a2435da) as a default tracked asset on Ethereum mainnet (eip155:1), Linea (eip155:59144), and Monad testnet (eip155:143) (#8616)
  • assetsInfo is pre-populated in default controller state so mUSD metadata is available before any on-chain fetch completes.
  • Zero-balance entries are written into assetsBalance at startup, on account/network changes, and immediately when the user adds a chain that has default tracked assets.
  • New exports: DEFAULT_TRACKED_ASSETS_BY_CHAIN, CHAINS_WITH_DEFAULT_TRACKED_ASSETS, DEFAULT_ASSET_METADATA, buildDefaultAssetsInfo, getDefaultTrackedAssetsForChain, getDefaultAssetMetadata.

Changed

• Bump @metamask/permission-controller from ^12.3.0 to ^13.0.0 (#8661)
• Bump @metamask/assets-controllers from ^105.0.0 to ^105.1.0 (#8661)
• Bump @metamask/keyring-api from ^23.0.1 to ^23.1.0 (#8647)
• Bump @metamask/keyring-internal-api from ^10.1.1 to ^11.0.1 (#8584, #8647)
• Bump @metamask/keyring-snap-client from ^9.0.1 to ^9.0.2 (#8647)
• Bump @metamask/messenger from ^1.1.1 to ^1.2.0 (#8632)
• Bump @metamask/keyring-controller from ^25.2.0 to ^25.3.0 (#8634)
• Bump @metamask/network-controller from ^30.0.1 to ^30.1.0 (#8636)

Fixed

• Correct mUSD default tracked metadata decimals from 18 to 6 so seeded balances and formatting align with token contract precision (#8664)

@metamask/assets-controllers 105.1.0

Added

• Seed mUSD (0xaca92e438df0b2401ff60da7e4337b687a2435da) into allTokens state as a default tracked asset on Ethereum mainnet (0x1), Linea (0xe708), Monad mainnet (0x8f), and Monad testnet (0x279f) (#8620)
  • TokenDetectionController.start() now calls TokensController:addTokens for mUSD on every supported chain that is configured in NetworkController — this is the primary trigger and uses the proven addTokens API. Re-runs on AccountsController:selectedEvmAccountChange (since addTokens only seeds for the currently selected account).
  • TokensController also seeds mUSD directly into state as a defense-in-depth measure: at startup for existing EVM accounts, on accounts already in persisted allTokens state, on AccountsController:accountAdded, on AccountsController:selectedEvmAccountChange, on KeyringController:unlock, on NetworkController:networkAdded, and on NetworkController:stateChange add patches.
  • TokensControllerMessenger now requires NetworkControllerNetworkAddedEvent, AccountsControllerAccountAddedEvent, and KeyringControllerUnlockEvent as allowed events.
• Add ZetaChain network support (7000/0x1b58) (#8627)

Changed

• Bump @metamask/permission-controller from ^12.3.0 to ^13.0.0 (#8661)
• Bump @metamask/keyring-api from ^23.0.1 to ^23.1.0 (#8647)
• Bump @metamask/keyring-internal-api from ^10.1.1 to ^11.0.1 (#8584, #8647)
• Bump @metamask/messenger from ^1.1.1 to ^1.2.0 (#8632)
• Bump @metamask/keyring-controller from ^25.2.0 to ^25.3.0 (#8634)
• Bump @metamask/network-controller from ^30.0.1 to ^30.1.0 (#8636)

Fixed

• Correct the seeded mUSD token decimals from 18 to 6 in TokensController and TokenDetectionController defaults so tracked token metadata matches contract precision (#8664)

@metamask/eip1193-permission-middleware 2.0.0

Changed

• BREAKING: Consolidate method handlers into a single methodHandlers export (#8583)
  • The individual handler exports have been removed. They can still be accessed as properties on the methodHandlers export.
  • The new handlers follow the format expected by createMethodMiddleware from @metamask/json-rpc-engine@10.3.0.
  • The hook types have been updated to cohere with the corresponding @metamask/permission-controller methods.
• Bump @metamask/json-rpc-engine from ^10.2.0 to ^10.3.0 (#7642, #7856, #8078, #8317, #8661)
• Upgrade @metamask/utils from ^11.8.1 to ^11.9.0 (#7511)
• Bump @metamask/controller-utils from ^11.16.0 to ^11.20.0 (#7534, #7583, #7995, #8344)
• Bump @metamask/permission-controller from ^12.1.1 to ^13.0.0 (#7559, #8225, #8317, #8661)
• Bump @metamask/chain-agnostic-permission from ^1.3.0 to ^1.5.0 (#7567, #8290)

@metamask/json-rpc-engine 10.3.0

Added

• Add createOriginMiddleware utility to v2 (#8522)
• Add createMethodMiddleware utility to v2 (#8506, #8583)
  • This utility allows JSON-RPC method implementations to use both the hooks pattern and the messenger.
• Add legacy createMethodMiddleware (#8583)
  • Consolidates bespoke makeMethodMiddlewareMaker implementations from the MetaMask extension and mobile clients.
  • Handlers may now declare actionNames and receive a delegated messenger as the sixth argument to implementation, mirroring the v2 createMethodMiddleware.
  • Deprecated in favor of the v2 createMethodMiddleware.

Changed

• Bump @metamask/messenger from ^1.1.1 to ^1.2.0 (#8632)

@metamask/multichain-api-middleware 3.0.0

Added

• Add MethodHandlerHooks type, the intersection of all method handler hook types (#8583)
  • Consumers can use this to type the hooks object passed to createMethodMiddleware without restating each handler's hooks individually.

Changed

• BREAKING: Consolidate method handlers into a single methodHandlers export (#8583)
  • The individual handler exports have been removed. They can still be accessed as properties on the methodHandlers export.
  • The new handlers follow the format expected by createMethodMiddleware from @metamask/json-rpc-engine@10.3.0.
  • The hook types have been updated to cohere with their corresponding MetaMask controller methods.
• BREAKING: Make trackSessionCreatedEvent hook required in wallet_createSession handler (#8583)
  • If the hook is not required, null can be passed instead.
• Bump @metamask/json-rpc-engine from ^10.2.3 to ^10.3.0 (#8317, #8661)
• Bump @metamask/network-controller from ^30.0.0 to ^30.1.0 (#8317, #8636)
• Bump @metamask/permission-controller from ^12.2.1 to ^13.0.0 (#8317, #8661)
• Bump @metamask/multichain-transactions-controller from ^7.0.3 to ^7.0.4 (#8325)
• Bump @metamask/controller-utils from ^11.19.0 to ^11.20.0 (#8344)

Fixed

• wallet_invokeMethod fails early with an invalidParams error when the params object is not an object (#8583)
  • Previously it would fail with a less specific error.
• wallet_revokeSession now returns true when no active session exists and specific scopes are requested, consistent with its full-revoke behavior (#8583)
  • Previously it would return an internal error.

@metamask/permission-controller 13.0.0

Added

• Add createPermissionMiddlewareV2, a JsonRpcEngineV2 variant of the standalone permission middleware factory (#8532)
• Add messenger option to permission specification builders, allowing restricted-method specs to receive a scoped messenger in place of methodHooks (#8551)
  • Use the actionNames field on the specification builder and createRestrictedMethodMessenger to construct the scoped messenger.

Changed

• BREAKING: Decouple the permission middleware from PermissionController and expos...

@metamask/transaction-pay-controller 20.1.0

Added

• Export TransactionData type from public API (#8630)

Changed

• Abort in-flight quote requests when a newer request is made for the same transaction, preventing stale responses from overwriting newer ones (#8612)
• Bump @metamask/messenger from ^1.1.1 to ^1.2.0 (#8632)
• Bump @metamask/network-controller from ^30.0.1 to ^30.1.0 (#8636)

@metamask/chomp-api-service 3.0.0

Changed

• BREAKING: update types and methods of chomp-api-service to properly reflect the API (#8635)
• Bump @metamask/messenger from ^1.1.1 to ^1.2.0 (#8632)

@metamask/money-account-upgrade-controller 1.3.0

Changed

• Bump @metamask/chomp-api-service from ^2.0.0 to ^3.0.0 (#8651)
• Bump @metamask/messenger from ^1.1.1 to ^1.2.0 (#8632)
• Bump @metamask/keyring-controller from ^25.2.0 to ^25.3.0 (#8634)
• Bump @metamask/network-controller from ^30.0.1 to ^30.1.0 (#8636)

Fixed

• Fix the associate-address step to detect the already-associated case via status: 'active'. (#8635)

@metamask/config-registry-controller 0.3.0

Changed

• Bump @metamask/keyring-controller from ^25.1.1 to ^25.3.0 (#8363, #8634)
• Bump @metamask/profile-sync-controller from ^28.0.1 to ^28.0.2 (#8325)
• Bump @metamask/controller-utils from ^11.19.0 to ^11.20.0 (#8344)
• Bump @metamask/messenger from ^1.0.0 to ^1.2.0 (#8364, #8373, #8632)
• Bump @metamask/base-controller from ^9.0.1 to ^9.1.0 (#8457)

Fixed

• ConfigRegistryApiService now accepts chains with no assets.listUrl property (#8624)

@metamask/network-controller 30.1.0

Added

• Expose missing public NetworkController methods through its messenger (#8350)
  • The following actions are now available:
    • NetworkController:enableRpcFailover
    • NetworkController:disableRpcFailover
    • NetworkController:getProviderAndBlockTracker
    • NetworkController:getNetworkClientRegistry
    • NetworkController:initializeProvider
    • NetworkController:lookupNetwork
    • NetworkController:lookupNetworkByClientId
    • NetworkController:get1559CompatibilityWithNetworkClientId
    • NetworkController:resetConnection
    • NetworkController:rollbackToPreviousProvider
    • NetworkController:loadBackup
  • Corresponding action types are available as well.
• Add getEthQuery method to NetworkController (#8350)

Changed

• Bump @metamask/controller-utils from ^11.19.0 to ^11.20.0 (#8344)
• Bump @metamask/eth-json-rpc-middleware from ^23.1.1 to ^23.1.3 (#8550, #8611)
• Bump @metamask/messenger from ^1.0.0 to ^1.2.0 (#8364, #8373, #8632)
• Bump @metamask/base-controller from ^9.0.1 to ^9.1.0 (#8457)

Deprecated

• NetworkControllerGetNetworkConfigurationByNetworkClientId type is deprecated in favor of NetworkControllerGetNetworkConfigurationByNetworkClientIdAction (#8350)
• Deprecate AbstractRpcService and RpcServiceRequestable (#8475)
  • There are no equivalents to these interfaces. If you need to take an "RPC-service-like" argument, it's best to declare which properties you're interested in rather than accepting the entire RPC service interface.

@metamask/keyring-controller 25.3.0

Added

• Expose KeyringController:exportSeedPhrase method through KeyringController messenger (#8587)
• Expose KeyringController:isUnlocked method through KeyringController messenger (#8573)
  • Returns true when the vault is unlocked, false otherwise. Mirrors state.isUnlocked and the isUnlocked() instance method, allowing consumers to check lock status via the messenger without holding a controller reference.
• Add withController action to run atomic operations on multiple keyrings (within a single transaction) (#8416)
  • This action uses a RestrictedController object that exposes addNewKeyring and removeKeyring methods to add and remove keyring during the transaction (atomic) call.
• Expose KeyringController:signTransaction method through KeyringController messenger (#8408)
• Persist vault when keyring state changes during unlock (#8415)
  • If a keyring's serialized state differs after deserialization (e.g. a migration ran, or metadata was missing), the vault is now re-persisted so the change is not lost on the next unlock.
• Added KeyringV2 support (#8390)
  • The controller now maintains a list of KeyringV2 instance in memory alongside previous Keyring instance.
  • This new keyring interface is more generic and will become the new standard to interact with keyring (creating accounts, executing logic that involves accounts like signing, etc...).
  • For now, most KeyringV2 are wrappers (read adapters) around existing Keyring instance.
• Added withKeyringV2Unsafe method and KeyringController:withKeyringV2Unsafe messenger action for lock-free read-only access to KeyringV2 adapters (#8390)
  • Mirrors withKeyringUnsafe semantics: no mutex acquired, no persistence or rollback.
  • Caller is responsible for ensuring the operation is read-only and accesses only immutable keyring data.
• Added withKeyringV2 method and KeyringController:withKeyringV2 messenger action for atomic operations using the KeyringV2 API (#8390)
  • Accepts a KeyringSelectorV2 to select keyrings by type, address, id, or filter.
  • Ships with default V2 builders for HD (HdKeyringV2) and Simple (SimpleKeyringV2) keyrings; additional builders can be registered via the keyringV2Builders constructor option.

Changed

• Bump @metamask/messenger from ^1.0.0 to ^1.2.0 (#8364, #8373, #8632)
• Bump @metamask/base-controller from ^9.0.1 to ^9.1.0 (#8457)
• Bump @metamask/eth-hd-keyring from ^13.1.1 to ^14.0.1 (#8464)
• Bump @metamask/eth-simple-keyring from ^11.1.2 to ^12.0.1 (#8464)
• Bump @metamask/keyring-api from ^21.6.0 to ^23.0.1 (#8464)
• Bump @metamask/keyring-internal-api from ^10.0.0 to ^11.0.0 (#8464, #8584)

@metamask/messenger 1.2.0

Added

• Allow overriding action handler in subclass (#8617)
  • The Messenger class now has a protected getAction method which returns the action handler for a given action name.
• Add subscribeOnce and waitUntil utility methods to Messenger (#8575)

Deprecated

• Deprecate generate-action-types CLI tool and messenger-generate-action-types binary (#8378)
  • The CLI has been extracted to @metamask/messenger-cli. Use messenger-action-types from this package instead.

Fixed

• Throw different error for missing delegated actions (#8557)

@metamask/assets-controller 6.2.1

Changed

• Bump @metamask/transaction-controller from ^64.4.0 to ^65.0.0 (#8613)
• Bump @metamask/assets-controllers from ^104.3.0 to ^105.0.0 (#8622)

@metamask/assets-controllers 105.0.0

Added

• Expose missing public CurrencyRateController methods through its messenger (#8561)
  • The following actions are now available:
    • CurrencyRateController:setCurrentCurrency
    • CurrencyRateController:updateExchangeRate
  • Corresponding action types (e.g. CurrencyRateControllerSetCurrentCurrencyAction) are available as well.

Changed

• BREAKING: Standardize names of CurrencyRateController messenger action types (#8561)
  • The GetCurrencyRateState messenger action has been renamed to CurrencyRateControllerGetStateAction to follow the convention. You will need to update imports appropriately.
  • These changes only affect the types. The action type strings themselves have not changed, so you do not need to update the list of actions you pass when initializing CurrencyRateController messenger.
• MultichainAssetsController: Restore fail-open behavior for Blockaid spam token filter (#8580)
  • Uses blacklist approach: only rejects tokens explicitly marked as malicious by Blockaid
  • When Blockaid bulk token scan API calls fail or return no results, tokens are allowed through
  • This prevents legitimate tokens from being blocked due to API outages, network issues, or missing token data
  • Malicious tokens that slip through are caught by the periodic rescan (runs daily by default)
• Bump @metamask/transaction-controller from ^64.3.0 to ^65.0.0 (#8585, #8613)

Fixed

• Fix selectAssetsBySelectedAccountGroup crashing when an account referenced in the account tree is missing from internal accounts (#8604)

@metamask/bridge-controller 71.0.0

Added

• BREAKING: Add quickBuy and dappSwap FeatureIds for external swap quote consumers (#8598)
• BREAKING: Add market_closed and quote_expired QuoteWarning (#8598)
• Add tokenSecurityTypeDestination: string | null to BridgeControllerState (default null), set via updateBridgeQuoteRequestParams and reset by resetState (#8595)

Changed

• BREAKING: Add required token_security_type_destination: string \| null to RequestParams, RequiredEventContextFromClient[InputSourceDestinationSwitched], and the context arg of updateBridgeQuoteRequestParams; emitted on every analytics event that includes token_address_destination (#8595)
• BREAKING: getRequestParams now takes a second positional argument tokenSecurityTypeDestination: string \| null (#8595)
• Bump @metamask/transaction-controller from ^64.3.0 to ^65.0.0 (#8585, #8613)
• Bump @metamask/assets-controller from ^6.1.0 to ^6.2.1 (#8590, #8622)
• Bump @metamask/assets-controllers from ^104.3.0 to ^105.0.0 (#8622)

@metamask/bridge-status-controller 71.1.0

Added

• Add optional tokenSecurityTypeDestination?: string \| null to BridgeHistoryItem, StartPollingForBridgeTxStatusArgs[Serialized], and the submitTx / submitIntent arguments; when provided, it's persisted on the history item and emitted as token_security_type_destination on post-submit analytics events (#8595)

Changed

• Bump @metamask/transaction-controller from ^64.3.0 to ^65.0.0 (#8585, #8613)
• Bump @metamask/bridge-controller from ^70.2.0 to ^71.0.0 (#8622)

@metamask/transaction-pay-controller 20.0.1

Changed

• Bump @metamask/assets-controller from ^6.2.0 to ^6.2.1 (#8622)
• Bump @metamask/assets-controllers from ^104.3.0 to ^105.0.0 (#8622)
• Bump @metamask/bridge-controller from ^70.2.0 to ^71.0.0 (#8622)
• Bump @metamask/bridge-status-controller from ^71.0.0 to ^71.1.0 (#8622)

@metamask/chomp-api-service 2.0.0

Changed

• BREAKING: Change AssociateAddressParams.timestamp type from string to number. (#8610)

@metamask/money-account-upgrade-controller 1.2.0

Changed

• Bump @metamask/chomp-api-service from ^1.0.0 to ^2.0.0 (#8618)

Fixed

• Send the CHOMP authentication timestamp as a number instead of a string in the associate-address step. (#8610)

@metamask/transaction-controller 65.0.0

Added

• Expose TransactionController:wipeTransactions method through TransactionController messenger (#8592)

Changed

• estimateGasBatch now skips the EIP-7702 path when the account's keyring does not support it, falling back to per-transaction gas estimation (#8388)
• doesAccountSupportEIP7702 now returns false instead of true when the account is not found in any keyring (#8388)
• BREAKING: Add KeyringControllerGetStateAction to AllowedActions to enable keyring-based EIP-7702 account compatibility checks in addTransactionBatch (#8388)
  • addTransactionBatch now automatically checks whether the account's keyring supports EIP-7702 before attempting the 7702 batch path, falling back to STX/sequential when unsupported
  • Clients must add KeyringController:getState to the TransactionController messenger's allowed actions

Fixed

• Fix batch transaction signing so each transaction is signed sequentially, preventing remaining hardware wallet prompts from appearing after a rejection (#8388)

@metamask/transaction-pay-controller 20.0.0

Changed

• Rename executeEnabled feature flag to gaslessEnabled (#8607)
• Bump @metamask/transaction-controller from ^64.3.0 to ^65.0.0 (#8585, #8613)
• Bump @metamask/assets-controller from ^6.1.0 to ^6.2.0 (#8590)

Fixed

• Fall back from Across to later pay strategies when Across quotes would require a first-time EIP-7702 authorization list (#8577)
• BREAKING: Fix mUSD conversion for hardware wallets on EIP-7702 chains by gating relay and Across 7702 paths on the account keyring type via KeyringController:getState (#8388)
  • The TransactionPayControllerMessenger now requires KeyringController:getState permission.